Are We Spending Enough or Too Much On Security?

The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don’t spend enough, and Bruce argued maybe we spend too much.

Interestingly this is the same debate they had ten years ago at the first WEIS, except they switched sides.

Bruce Schneier

His main point is the cyber threat is exaggerated. And it will likely be even more exaggerated as we enter a cyber arms race because “arms races are fueled by fear and ignorance”.

Bruce stressed that there are economic incentives to exaggerate the threat. Military and intelligence agencies exaggerate the threat to get more funding. Security product and consulting vendors exaggerate to get more sales. Even security staff in companies exaggerate the threat to get more headcount and new shiny products.

He pointed to the US ~$100B annual spending on counter terrorism as an example: it has grown to that level because of threat exaggeration, since the expected loss does not come close to that value.

Ten years ago Ross argued that inefficient security spending was the main problem, not the amount spent. Bruce agreed with this today and pointed to the growth in compliance as the main culprit saying it is “critically wasting resources”. He talked about the difference in spending money to improve security or spending money to convince someone you improved security.

One surprise to Bruce over the last ten years is that insurance policies for cyber losses are not widespread. His assumption is this is because insurance companies don’t have good data to write and price the policies — and that the data can change so quickly.

Ross Anderson

Ross was convinced the problem is we don’t spend enough money catching cybercrooks. He had some data points and pointed statements:

His strongest example was the takedown of the Rustock botnet. Rustock sent an estimated 30% of the spam in 2010. The cost of fighting spam was $1B in 2010, so he extrapolated the cost of fighting Rustock to be $300M. Therefore spending $10M more on cyber cops to take down a large botnet would be a good expenditure. FYI, Rustock earned only an estimated $2.7M in 2010.

The UK spends $170M on anti-virus, yet the cleanup cost for malware in the UK is still $500M. The cyber policing effort in the UK gets $15M. (All annual numbers.)

The US Government spends $100M on fighting cyber crime, about the same amount as Google and other large software companies.

Cyberlobbyists are a problem driving money to intelligence budgets and security company products and services where they are not needed. In this, Bruce and Ross agreed.

“You will get more results from funding FBI than NSA”

The follow-on discussion was fantastic and too brief.

Bruce pointed out that a challenge for law enforcement is jurisdiction shopping where criminals go to countries that don’t have or choose to not enforce laws.

Ross was co-author of a paper that also concluded that law enforcement should be prioritized. This was based on the finding that, for some new categories of cybercrime, the direct costs (the cost to the affected company) were small while the indirect costs (the costs to large numbers of citizens or society) were large. Therefore companies would have no incentive to address the crime on their own. Cyber cops would be the answer to reduce the crime and its indirect costs.

The authors of the paper did admit that they had no data to support that the increase in cyber cops would result in a decrease in cyber crime. I’m skeptical given the anecdotal evidence/experience that I have observed the last three years. I’m also curious how many additional cyber cops would be required to reduce cyber crime. The small increases in gross numbers but large increases on a percentage basis did not reduce cyber crime, but proponents could argue it reduced the growth rate.

Was there any discussion on where the money was being spent, and whether or not spending money in those areas was adding value?

Certainly, we aren’t spending enough on testing software for common vulnerabilities right now. And with all the emphasis in regulations on protecting control system software with bolt-ons, a little up front cyber security design could be appropriate in any budget.

@Ralph, presumably the economic incentives to downplay the right are incorporated into the asset owner’s risk analysis. If an asset owner incorrectly downplays a threat and the threat occurs, the asset owner has to eat the cost.

Contrast this with the scenario where someone incorrectly exaggerates the threat and procures funding for more security — e.g. if there is no attack, the procurer may claim that the additional security measures deterred the attack. And if there is an attack anyway, the procurer can always say “that proves more security is needed!”

That’s an over-simplification of course, but I think that was Bruce’s point.
